WIP

Author: PaulAsjes

LICENSE

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2021 WorkOS
+Copyright (c) 2024 WorkOS
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

requirements-dev.txt

@@ -0,0 +1,9 @@
+flake8
+pytest==8.3.2
+pytest-asyncio==0.23.8
+pytest-cov==5.0.0
+six==1.16.0
+black==24.4.2
+twine==5.1.1
+mypy==1.12.0
+httpx>=0.27.0

requirements.txt

@@ -0,0 +1,4 @@
+httpx>=0.27.0
+pydantic==2.9.2
+PyJWT==2.9.0
+cryptography==43.0.3

setup.py

@@ -10,6 +10,11 @@
 with open(os.path.join(base_dir, "workos", "__about__.py")) as f:
     exec(f.read(), about)
 
+def read_requirements(filename):
+    with open(filename) as f:
+        return [line.strip() for line in f
+                if line.strip() and not line.startswith('#')]
+
 setup(
     name=about["__package_name__"],
     version=about["__version__"],
@@ -27,19 +32,9 @@
     ),
     zip_safe=False,
     license=about["__license__"],
-    install_requires=["httpx>=0.27.0", "pydantic==2.9.2"],
+    install_requires=read_requirements("requirements.txt"),
     extras_require={
-        "dev": [
-            "flake8",
-            "pytest==8.3.2",
-            "pytest-asyncio==0.23.8",
-            "pytest-cov==5.0.0",
-            "six==1.16.0",
-            "black==24.4.2",
-            "twine==5.1.1",
-            "mypy==1.12.0",
-            "httpx>=0.27.0",
-        ],
+        "dev": read_requirements("requirements-dev.txt"),
         ":python_version<'3.4'": ["enum34"],
     },
     classifiers=[

workos/session.py

@@ -1,9 +1,155 @@
+import json
+from typing import Any, Dict, List, Optional, Union
+import jwt
+from jwt import PyJWKClient
+from cryptography.fernet import Fernet
 
-from typing import Protocol, Union
+from workos.types.user_management.session import (
+    AuthenticateWithSessionCookieFailureReason,
+    AuthenticateWithSessionCookieSuccessResponse,
+    AuthenticateWithSessionCookieErrorResponse,
+)
 
-from workos.types.user_management.session import AuthenticateWithSessionCookieSuccessResponse, AuthenticateWithSessionCookieErrorResponse
+class SessionModule:
+    def __init__(
+        self,
+        *,
+        user_management: Any,
+        client_id: str,
+        session_data: str,
+        cookie_password: str
+    ) -> None:
+        # If the cookie password is not provided, throw an error
+        if cookie_password is None or cookie_password == "":
+            raise ValueError("cookie_password is required")
 
-class SessionModule(Protocol):
+        self.user_management = user_management
+        self.client_id = client_id
+        self.session_data = session_data
+        self.cookie_password = cookie_password
 
-    def authenticate(self) -> Union[AuthenticateWithSessionCookieSuccessResponse, AuthenticateWithSessionCookieErrorResponse]:
-        ...
+        self.jwks = self.create_remote_jwk_set(
+            self.user_management.get_jwks_url()
+        )
+        self.jwk_algorithms = [str(key.Algorithm) for key in self.jwks]
+
+        for key in self.jwks:
+            print("Key properties:", dir(key))  # This will show all available attributes
+            print("Algorithm:", key.Algorithm)
+            print("Key type:", key.key_type)
+
+    def authenticate(
+        self,
+    ) -> Union[
+        AuthenticateWithSessionCookieSuccessResponse,
+        AuthenticateWithSessionCookieErrorResponse,
+    ]:
+        if self.session_data is None:
+            return AuthenticateWithSessionCookieErrorResponse(
+                authenticated=False, reason=AuthenticateWithSessionCookieFailureReason.NO_SESSION_COOKIE_PROVIDED
+            )
+
+        try:
+            session = self.unseal_data(self.session_data, self.cookie_password)
+        except Exception:
+            return AuthenticateWithSessionCookieErrorResponse(
+                authenticated=False, reason=AuthenticateWithSessionCookieFailureReason.INVALID_SESSION_COOKIE
+            )
+
+        if not session["access_token"]:
+            return AuthenticateWithSessionCookieErrorResponse(
+                authenticated=False, reason=AuthenticateWithSessionCookieFailureReason.INVALID_SESSION_COOKIE
+            )
+
+        if not self.is_valid_jwt(session["access_token"]):
+            return AuthenticateWithSessionCookieErrorResponse(
+                authenticated=False, reason=AuthenticateWithSessionCookieFailureReason.INVALID_JWT
+            )
+
+        decoded = jwt.decode(
+            session["access_token"], self.jwks, algorithms=self.jwk_algorithms
+        )
+
+        return AuthenticateWithSessionCookieSuccessResponse(
+            authenticated=True,
+            session_id=decoded["sid"],
+            organization_id=decoded["org_id"],
+            role=decoded["role"],
+            permissions=decoded["permissions"],
+            entitlements=decoded["entitlements"],
+            user=session["user"],
+            impersonator=session["impersonator"],
+            reason=None,
+        )
+
+    def refresh(self, options: Optional[Dict[str, Any]] = None) -> Union[
+        AuthenticateWithSessionCookieSuccessResponse,
+        AuthenticateWithSessionCookieErrorResponse,
+    ]:
+        cookie_password = options.get("cookie_password", self.cookie_password)
+        organization_id = options.get("organization_id", None)
+
+        try:
+            session = self.unseal_data(self.session_data, cookie_password)
+        except Exception:
+            return AuthenticateWithSessionCookieErrorResponse(
+                authenticated=False, reason=AuthenticateWithSessionCookieFailureReason.INVALID_SESSION_COOKIE
+            )
+
+        if not session["refresh_token"] or not session["user"]:
+            return AuthenticateWithSessionCookieErrorResponse(
+                authenticated=False, reason=AuthenticateWithSessionCookieFailureReason.INVALID_SESSION_COOKIE
+            )
+
+        try:
+            auth_response = self.user_management.authenticate_with_refresh_token(
+                refresh_token=session["refresh_token"],
+                organization_id=organization_id,
+            )
+
+            self.session_data = auth_response.sealed_session
+            self.cookie_password = cookie_password
+
+            return AuthenticateWithSessionCookieSuccessResponse(
+                authenticated=True,
+                sealed_session=auth_response.sealed_session,
+                session=auth_response,
+                reason=None,
+            )
+        except Exception as e:
+            return AuthenticateWithSessionCookieErrorResponse(
+                authenticated=False, reason=str(e)
+            )
+
+    def get_logout_url(self) -> str:
+        auth_response = self.authenticate()
+
+        if not auth_response["authenticated"]:
+            raise ValueError(auth_response["reason"])
+
+        return self.user_management.get_logout_url(
+            session_id=auth_response["session_id"]
+        )
+
+    def create_remote_jwk_set(self, url: str) -> List[Dict[str, Any]]:
+        jwks_client = PyJWKClient(url)
+        return jwks_client.get_signing_keys()
+
+    def is_valid_jwt(self, token: str) -> bool:
+        try:
+            jwt.decode(token, self.jwks, algorithms=self.jwk_algorithms)
+            return True
+        except jwt.exceptions.InvalidTokenError as error:
+            print("invalid token", error)
+            return False
+
+    @staticmethod
+    def seal_data(data: Dict[str, Any], key: str) -> str:
+        fernet = Fernet(key)
+        # take the data and encrypt it with the key using fernet
+        return fernet.encrypt(json.dumps(data).encode())
+
+    @staticmethod
+    def unseal_data(sealed_data: str, key: str) -> Dict[str, Any]:
+        fernet = Fernet(key)
+        return json.loads(fernet.decrypt(sealed_data).decode())

workos/types/user_management/authenticate_with_common.py

@@ -1,5 +1,6 @@
 from typing import Literal, Union
 from typing_extensions import TypedDict
+from workos.types.user_management.session import SessionConfig
 
 
 class AuthenticateWithBaseParameters(TypedDict):
@@ -17,6 +18,7 @@ class AuthenticateWithCodeParameters(AuthenticateWithBaseParameters):
     code: str
     code_verifier: Union[str, None]
     grant_type: Literal["authorization_code"]
+    session: Union[SessionConfig, None]
 
 
 class AuthenticateWithMagicAuthParameters(AuthenticateWithBaseParameters):

workos/types/user_management/authentication_response.py

@@ -29,6 +29,7 @@ class AuthenticationResponse(_AuthenticationResponseBase):
     impersonator: Optional[Impersonator] = None
     organization_id: Optional[str] = None
     user: User
+    sealed_session: Optional[str] = None
 
 
 class AuthKitAuthenticationResponse(AuthenticationResponse):

workos/types/user_management/session.py

@@ -1,4 +1,4 @@
-from typing import List, Optional
+from typing import List, Optional, TypedDict
 from enum import Enum
 
 from workos.types.user_management.impersonator import Impersonator
@@ -23,3 +23,6 @@ class AuthenticateWithSessionCookieErrorResponse(WorkOSModel):
     authenticated: bool = False
     reason: AuthenticateWithSessionCookieFailureReason
 
+class SessionConfig(TypedDict):
+    seal_session: bool
+    cookie_password: str

workos/user_management.py

@@ -1,5 +1,6 @@
 from typing import Optional, Protocol, Sequence, Set, Type
 from workos._client_configuration import ClientConfiguration
+from workos.session import SessionModule
 from workos.types.list_resource import (
     ListArgs,
     ListMetadata,
@@ -43,6 +44,7 @@
     UsersListFilters,
 )
 from workos.types.user_management.password_hash_type import PasswordHashType
+from workos.types.user_management.session import SessionConfig
 from workos.types.user_management.user_management_provider_type import (
     UserManagementProviderType,
 )
@@ -109,6 +111,18 @@ class UserManagementModule(Protocol):
 
     _client_configuration: ClientConfiguration
 
+    def load_sealed_session(self, *, sealed_session: str, cookie_password: str) -> SyncOrAsync[SessionModule]:
+        """Load a sealed session and return the session data.
+
+        Args:
+            sealed_session (str): The sealed session data to load.
+            cookie_password (str): The cookie password to use to decrypt the session data.
+
+        Returns:
+            SessionModule: The session module.
+        """
+        ...
+
     def get_user(self, user_id: str) -> SyncOrAsync[User]:
         """Get the details of an existing user.
 
@@ -804,6 +818,9 @@ def __init__(
         self._client_configuration = client_configuration
         self._http_client = http_client
 
+    def load_sealed_session(self, *, session_data: str, cookie_password: str) -> SessionModule:
+        return SessionModule(user_management=self, client_id=self._http_client.client_id, session_data=session_data, cookie_password=cookie_password)
+
     def get_user(self, user_id: str) -> User:
         response = self._http_client.request(
             USER_DETAIL_PATH.format(user_id), method=REQUEST_METHOD_GET
@@ -1013,6 +1030,9 @@ def _authenticate_with(
             json=json,
         )
 
+        if payload["session"] is not None and payload["session"].get("seal_session") is True:
+            response["sealed_session"] = SessionModule.seal_data(response, payload["session"]["cookie_password"])
+
         return response_model.model_validate(response)
 
     def authenticate_with_password(
@@ -1037,16 +1057,21 @@ def authenticate_with_code(
         self,
         *,
         code: str,
+        session: Optional[SessionConfig] = None,
         code_verifier: Optional[str] = None,
         ip_address: Optional[str] = None,
         user_agent: Optional[str] = None,
     ) -> AuthKitAuthenticationResponse:
+        if session is not None and (session.get("seal_session") is True and session.get("cookie_password") is None or ""):
+            raise ValueError("cookie_password is required when sealing session")
+
         payload: AuthenticateWithCodeParameters = {
             "code": code,
             "grant_type": "authorization_code",
             "ip_address": ip_address,
             "user_agent": user_agent,
             "code_verifier": code_verifier,
+            "session": session,
         }
 
         return self._authenticate_with(